Global Journal of Advance Engineering Technologies and Sciences
EXPERIMENTING VARIABLE LENGTH PATTERNS FOR INTRUSION
DETECTION
Deepika Pathak
1, Dr. Sharad Gangele
21
Research Scholar,
2Prof,
1,
Department of Computer Science and Application, RKDF University, Bhopal
2Department of Computer Science, RKDF Universtiy, Bhopal
ABSTRACT
Because of expanding occasions of security assaults from most recent quite a long while, security heads were utilizing interruption location framework as a trustable device to identify security vulnerabilities. There are many investigates concentrating on have based interruption discovery frameworks utilizing framework call designs, however every one of them experience the ill effects of high FPR. Numerous analysts on framework call design based interruption recognition utilizes variable length framework call designs. This paper indicates test result completed with variable length designs lastly finishes up the work.
Keyword
—Anomaly Detection; Intrusion Detection; Statistical based.INTRODUCTION
The increasing attempts of security attacks forces security administrator to use intrusion detection system as a trustable tool to detect security vulnerabilities. The intrusion detection system is a specially designed tool to detect security vulnerabilities [1][2]. The detection process can be real time or offline detection. There are two types of intrusion detection system based on location of intrusion detection, HIDS and NIDS. The host based intrusion detection system uses system call patterns, audit logs, log files, CPU different parameters as a source of information. On the other hand network based intrusion detection system uses router table information, network packets, server logs for detecting intrusions. For building an IDS two approaches are used either misuse based or anomaly based. In misuse based system knowledge about specific attacks and system vulnerabilities is given in the form of signature. Misuse based system are simple to implement but writing signature to detect attacks is difficult task. Also such systems can not detect zero-day attacks or even variations of attack whose signature is given to system. The anomaly based system is uses system normal behaviour to detect anomalies. It is very powerful method and has the ability to detect unknown attacks [2][3].
The usefulness of anomaly based IDS attracted attention of many researchers, this is because this type of system does not requires signature for each attack [1][2]. The viability of oddity construct framework is depends with respect to wellspring of data, how the data is utilized and edge picked. This paper takes travel that examines distinctive HIDS and their constraints, so valuable ideas from these analysts can be taken to manufacture new HIDS that can furnish high DR with little FPR. Whatever remains of paper is composed as takes after: Section 2 covers writing survey. what's more, area 2 contains finishing up comments
.
LITERATURE
MODELS
The models given in this section are either taken from previous researches or extension to previous researches, such that comparison can be possible for experimental setup. The experiments given in this section lets us to compare effectiveness of different models.
All given models uses Variable Length Patterns (VLP) for generating normal profile. The variable length pattern generation is given in Wespi et al [00].
A. VLPTMR (VLP and Total Mismatch Rate)
This is similar model proposed by Wespi et al [12], in this model variable length system call patterns are extracted and used as normal profile. During detection, mismatches encountered while pattern extracting process is accounted. The threshold over total mismatch rate (TMR) is used for decision making.
B. VLPLMR (VLP and Local Mismatch Rate)
This model is change over prior VLPTMR demonstrate. This model uses variable length designs for producing ordinary profile database. Amid location, a Locality Frame is kept up of length l and jumbles experienced in neighborhood area l are utilized for basic leadership. This model makes utilization of nearby confound rate (LMR) for basic leadership since it has been found in before inquires about [8][9] that, anomaly occurred in burst. Also setting up threshold over for total trace length is difficult task as; length of trace can be different [9].
C. VLPLRI (VLP and Local Rarity Index)
This model uses combination of variable length patterns and Rarity-Index for anomaly detection. Initially, use of Rarity-Index was done by Vardi et al [11], be that as it may, their model uses settled length designs. The VLPRI display at first concentrates all the variable length designs and computes Rarity-Index of all extricated designs. This Pattern-Rarity Index database is utilized as would be expected profile. Amid discovery, Locality Frame is utilized for keeping extricated design Rarity-Index in neighborhood district. On the off chance that at any given time, the rarity index of local region drops below certain threshold then sequence is flagged as anomalous.
The motivation for this model is taken from research done by Warrender et al [9] and Vardi et al [11], in which they found that rare sequences are anomalous, but none of the research focuses on use of Rarity-Index on variable length patterns. It can be understood that, if patterns encounter in detection phase are rarely used then there is possibility that attack is in progress. This fact is taken from researches on human behaviour, in which it is found that a human normally uses only those commands that are popular in community. To compromise the computer system, attacker executes a commands sequence that is unknown in community or very rarely used, thus making detection possible.
D. VLPLMRRI (VLP- Local Mismatches And Rarity-Index)
This model uses variable length designs, neighborhood confuse rate and Rarity-Index for oddity identification. The developing need of enhancing DR with decreased FPR brings is inspiration driving this model. It tries to give more noteworthy control over DR and FPR. This model uses Pattern-Rarity Index word reference as typical profile. Amid recognition, two Locality Frames are utilized one holds Rarity Index of experienced examples and different holds jumbles experienced amid shaping given arrangement (call it as battle while framing next grouping). Two thresholds t1 and t2 are set on to the locality frames so as to categorize system call traces.
E. SAVLP (Semantic Analysis of VLP)
The semantic relationship is utilized as a part of this model for distinguishing inconsistencies. The semantic investigation of framework call designs is at first done by Creech et al [17], yet the meaning of word in there show is wrong and preparing time required for lexicon era is huge. This model is adjustment over Creech et al [17] demonstrate, in which VLP are considered as words and expressions of various length are separated from preparing information by consolidating contiguous examples. At last Rarity-Index of all removed expressions is ascertained and kept up in Phrase-Rarity Index lexicon. This Phrase-Rarity Index dictionary is used as semantic information of program system call patterns.
phrases are not present in Phrase-Rarity Index database then rarity index is assumed to be 1. Thus dropping the average Rarity-Index of phrases seen in local region (most popular phrases have Rarity-Index -1).
RESULTS
The evaluation of given models is done using UNM intrusion detection dataset. The processes extracted from UNM dataset are, login, ps, ftp, lpr. The experimental settings for evaluating above systems are kept similar, so that results from different models can be compared. The experimental settings are given in TABLE 1.
TABLE 1 EXPERIMENTAL SETTING
Process Name Total Normal Traces Extracted
Number of Normal Training
Traces
Number of Test Traces Norma
l
Attac k
Login 9 4 5 12
ftp 7 4 3 5
lpr 5 3 2 1001
ps 24 20 4 26
According to requirements of each experiment, normal profile for each program is generated and detection performed for different threshold levels. Finally for each system ROC curve is plotted to understand relationship between DR and FPR rate.
FIGURE 1. VLPTMR MODEL RESULTS
The experimental results of experiment 1 are shown in figure 1. It shows that the best DR is 40%, as threre was no FPR at perticular DR.
FIGURE 2. VLPTMR MODEL RESULTS
FIGURE 3. VLPLRI MODEL RESULTS
The experiment 3 result are conducted for process ps and login, it shows very poor performance for local region length of 6. The problem with using rarity index is that, Rarity-Index is useful only when there is complete training data or huge training data.
FIGURE 4. SAVLPR MODEL RESULTS
The experiment 4 results for login process are shown in figure 4. It shows that after using semantic analysis concepts with variable length system call patterns, the detection rate reached up to 88% with FPR 0%. The results The results other processes are not tested.
CONCLUSION
It has been discovered that variable length designs are helpful for lessening the lexicon measure required to profile typical action of a program. Be that as it may, it is likewise found while testing that, design extraction utilizing technique proposed by Wespi et al [12] does not cover all framework call designs, this is because of determination of longest example while design coordinating. It is additionally discovered that, the utilization of single edge for interruption location creates FPR, subsequently in future frameworks there ought to be utilization of more than one edge. At long last, the intrusion detection system must make use of approximate pattern matching to reduce FPR, encountered due to incomplete training.
REFERENCES
[1] John McHugh, Alan Christie, and Julia Allen, ”The Role of Intrusion Detection Systems, IEEE SOFTWARE,SEP 2000.
[2] Mehdi Bahrami and Mohammad Bahrami, “An overview to Software Architecture in Intrusion Detection System”, Soft Computing And Software Engineering (JSCSE), 2011.
[3] Herve Debar, “An Introduction to Intrusion-Detection Systems”, IBM Research, 2011.
[4] Debra Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, Alfonso Valdes, "Haystack: an intrusion detection system”, Aerospace Computer Security Applications Conference, Oct. 7481, Dec 1988.
[6] Stephanie Forrest, and Alan Peterson, "Self - Nonself Discrimination in Computer”, Proceeding of 1994 IEEE Symposium on Research in Security and Privacy, 1994.
[7] S. Forrest,S. A. Hofmeyr and A. SoMayaji, ”A sense of self for Unix Processes”, IEEE Symposium, May 1996. [8] S. Forrest,S.A. Hofmeyr and A. SoMayaji, ”Intrusion Detection Using Sequences of System Calls”, IEEE
Symposium, May 1996.
[9] C. Warrender, S. Forrest, and B. Pearlmutter, ”Detecting intrusions using system calls: alternative data models”, Proceedings of the 1999 IEEE Symposium,1999.
[10] A. Somayaji and S. Forrest, "Automated Response Using System-Call Delays.", Proceedings of the 9th USENIX Security Symposium, The USENIX Association, Berkeley, 2000
[11] Wen-Hu Ju and Yehuda Vardi, “Profiling Unix Users And Processes Based On Rarity of Occurrences Statistics with Applications to Computer Intrusion Detection”, Fourth Aerospace Computer Security Applications Conference, October 1988
[12] John Andreas Wespi and Herv Debar, “An intrusion detection system based on the teiresias pattern discovery algorithm”, Proceedings of EICAR, 1998.
[13] Wenke Lee and Salvatore J. Stolfo , "Data Mining Approaches for Intrusion Detection",7th USENIX Security Symposium, Jan 1998.
[14] Xuan Dau Hoang, Jiankun Hu, Peter Bertok, "A Multi-layer Model for Anomaly Intrusion Detection Using Program Sequences of System Calls" ,IEEE, October 1988.
[15] Ye Du, Ruhui Zhang, and Youyan Guo, "A Useful Anomaly Intrusion Detection Method Using Variable-length Patterns and Average Hamming Distance”, Journal of Computers, Aug 2010.
[16] Syed Shariyar Murtaza, Wael Khreich, Abdelwahab Hamou-Lhadj, Mario Couture, "A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules", IEEE 24th International Symposium on Software Reliability Engineering (ISSRE), 2013.
